1) Before taking on this activity, formalize it with management (in writing), including a vision, a mission statement, and statements of work (SOW), in order to set clear expectations (and keep you from being fired or jailed). Prepare to write reports and present findings. PT and RT activity is only as good as the dissemination of results and the subsequent remediation. Sure, the fun part is going after systems and resources with permission, but the documented follow-up is just as important.

2) A formalized process inclusive of best practices and documentation also supports PT & RT on behalf of compliance requirements (PCI, etc.). Trust me when I say it’s a lot easier to win the argument for a PT & RT program when you can tell your leadership that it supports meeting compliance requirements. Yes, compliance is often a “min bar,” but if it helps get your program underway, you’re winning, right?

4) If you’re going to red team, then blue team while you’re at it. A well-devised, concerted offensive engagement against your enterprise is also an ideal opportunity for your defenders to validate their monitoring and hardening practices.

5) While it’s nice to have resident expertise, it’s hard to imagine that every organization has the resources to dedicate personnel exclusively to PT & RT, much as may be the case with dedicated IR resources. Often these duties fall on network engineers and systems administrators with a penchant for security. If so, great; what better way to sharpen red team/blue team chops.

6) The social engineering (SE) aspect of PT & RT activity inevitably includes an organizational political component you should be sensitive to. I’ll cut to the chase: people fall for SE tactics all the time, and there is always shame associated with it. Making enemies will not help your cause. Devise SE tactics (educational intranet sites, metrics generators) that don’t automatically relegate people to the wall of shame/sheep. If you must actually compromise someone, dot your I’s and cross your T’s. Non-invasive recon for likely or ideal targets, for whom management signs off before total pwnzorship, is in your best interest. Again, your get-out-of-jail-free card is very important here: malfeasance or anomalous behavior from systems belonging to your “victims” can then potentially be attributed to you.